Analysis
  max time kernel:   143s
  max time network:  76s
  platform:          windows7_x64
  resource:          win7-20230220-en
  resource tags:     arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  submitted:         22-03-2023 14:06
Behavioral task: behavioral1
  Sample:    h.exe
  Resource:  win7-20230220-en (windows7-x64)
  4 signatures, 150 seconds

Behavioral task: behavioral2
  Sample:    h.exe
  Resource:  win10v2004-20230220-en (windows10-2004-x64)
  4 signatures, 150 seconds
General
  Target:  h.exe
  Size:    37KB
  MD5:     629c0dfd3a9b0377cfe5f04629dc6b7f
  SHA1:    c4f7e46c7d2c6ee69d0747874a3a215101931751
  SHA256:  8026b74f56f884cf8aa106f6263dafdcad5b2bd8b458578aea30cc397e0de7c1
  SHA512:  4cf763c2b324bbf06fad474816fd8452c8917066c9f5e46bb852a6bb7f3951c1d7fa9c60a874de3f2c367b20b8dd3845a00811ba6ca9c55e67fa8610fa2367af
  SSDEEP:  384:DeLx1kit8Zf5W9cTYXyc/bBM0izvncnPMIurAF+rMRTyN/0L+EcoinblneHQM3ei:CLxKjjTYic/be0PM/rM+rMRa8NuH2t
  Score:   8/10
Malware Config
Signatures
  - Modifies Windows Firewall (1 TTPs, 1 IoCs)
  - Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  - Suspicious use of AdjustPrivilegeToken (23 IoCs)
    Processes:
      description                         pid  process
      Token: SeDebugPrivilege             840  h.exe
      Token: 33                           840  h.exe
      Token: SeIncBasePriorityPrivilege   840  h.exe
      Token: 33                           840  h.exe
      Token: SeIncBasePriorityPrivilege   840  h.exe
      Token: 33                           840  h.exe
      Token: SeIncBasePriorityPrivilege   840  h.exe
      Token: 33                           840  h.exe
      Token: SeIncBasePriorityPrivilege   840  h.exe
      Token: 33                           840  h.exe
      Token: SeIncBasePriorityPrivilege   840  h.exe
      Token: 33                           840  h.exe
      Token: SeIncBasePriorityPrivilege   840  h.exe
      Token: 33                           840  h.exe
      Token: SeIncBasePriorityPrivilege   840  h.exe
      Token: 33                           840  h.exe
      Token: SeIncBasePriorityPrivilege   840  h.exe
      Token: 33                           840  h.exe
      Token: SeIncBasePriorityPrivilege   840  h.exe
      Token: 33                           840  h.exe
      Token: SeIncBasePriorityPrivilege   840  h.exe
      Token: 33                           840  h.exe
      Token: SeIncBasePriorityPrivilege   840  h.exe
  - Suspicious use of WriteProcessMemory (4 IoCs)
    Processes:
      description                       pid  process  target process
      PID 840 wrote to memory of 1064   840  h.exe    netsh.exe
      PID 840 wrote to memory of 1064   840  h.exe    netsh.exe
      PID 840 wrote to memory of 1064   840  h.exe    netsh.exe
      PID 840 wrote to memory of 1064   840  h.exe    netsh.exe
Processes
  1. C:\Users\Admin\AppData\Local\Temp\h.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\h.exe"
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\h.exe" "h.exe" ENABLE
        - Modifies Windows Firewall